PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-11065 Red Hat CVE debrief

CVE-2025-11065 is a medium-severity vulnerability in the github.com/go-viper/mapstructure/v2 package. The flaw lies in the field-processing path used by mapstructure.WeakDecode: when malformed user-supplied data is decoded in a security-critical context, the detailed error messages it produces can disclose sensitive input values (information disclosure). The vulnerability was published on January 26, 2026, and last modified on June 25, 2026. The CVSS score is 5.3, indicating a medium severity level. The vulnerability is classified as CWE-209 (generation of error messages containing sensitive information). Multiple sources reference this vulnerability, including Red Hat and GitHub.

Vendor: Red Hat
Product: OpenShift Pipelines
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-26
Original CVE updated: 2026-06-25
Advisory published: 2026-01-26
Advisory updated: 2026-06-25

Who should care

Developers and security teams using the github.com/go-viper/mapstructure/v2 package should be aware of this vulnerability. Exploitation results in information disclosure: values from the decoded input can surface in error messages, which becomes a security issue when those messages reach logs or callers that should not see them. Users of this package, especially those processing sensitive data, should take the necessary precautions to mitigate the risk.

Technical summary

The vulnerability is caused by the mapstructure.WeakDecode function in the github.com/go-viper/mapstructure/v2 package. This function processes user-supplied data and, when decoding fails, generates detailed error messages that may contain the offending input value, which can be sensitive. An attacker could potentially exploit this by supplying malformed data so that the resulting error message leaks sensitive information. The vulnerability has a CVSS score of 5.3 and is classified as CWE-209. The affected package is widely used in Go applications for decoding and mapping data.

Defensive priority

This vulnerability should be prioritized for remediation, especially in applications handling sensitive data. The rated risk of information disclosure is medium, but the actual impact depends on the context in which the vulnerable package is used and on where its error messages end up (logs, API responses, monitoring systems).

Recommended defensive actions

  • Review and update github.com/go-viper/mapstructure/v2 to the latest version.
  • Implement input validation and sanitization for data processed by the mapstructure.WeakDecode function.
  • Configure logging to avoid leaking sensitive information in error messages.
  • Monitor applications using the vulnerable package for potential security incidents.
  • Consider using alternative packages or versions that are not vulnerable.
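As an added example (not code from the advisory or from the mapstructure project), the Go wrapper below implements the logging recommendation above: decoder errors are redacted before they are logged and are never returned verbatim to the caller. It uses only the standard library; the `value: '...'` fragment it redacts is an assumed error-message shape, the sample error is constructed, and `SafeDecode`, `ClientError` and `RedactDecodeError` are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"regexp"
)

// quotedValue matches a "value: '<anything>'" fragment so it can be redacted
// (assumed message shape; adjust the pattern to your decoder's actual format).
var quotedValue = regexp.MustCompile(`value: '[^']*'`)

// RedactDecodeError strips embedded input values from a decoder error while
// keeping the field and type information that is useful for debugging.
func RedactDecodeError(err error) string {
	if err == nil {
		return ""
	}
	return quotedValue.ReplaceAllString(err.Error(), "value: '[REDACTED]'")
}

// ClientError is what the API caller receives: no decoder detail, only a
// fixed message plus a correlation id that support can look up in the logs.
type ClientError struct{ ID, Message string }

func (c ClientError) Error() string { return c.Message + " (ref " + c.ID + ")" }

// SafeDecode runs decode; on failure it logs the redacted detail server-side and
// returns an opaque error. decode stands in for mapstructure.WeakDecode(in, &out).
func SafeDecode(decode func() error) error {
	err := decode()
	if err == nil {
		return nil
	}
	buf := make([]byte, 8)
	id := "unavailable"
	if _, rerr := rand.Read(buf); rerr == nil {
		id = hex.EncodeToString(buf)
	}
	log.Printf("decode failed ref=%s: %s", id, RedactDecodeError(err))
	return ClientError{ID: id, Message: "invalid request body"}
}

func main() {
	// Constructed sample error in the shape of a weak-decode type mismatch.
	sample := errors.New("'Token' expected type 'int', got unconvertible type 'string', value: 'sk_live_secret'")
	fmt.Println(SafeDecode(func() error { return sample }))
}
```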

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. Red Hat and GitHub also reference this vulnerability, indicating potential impact on related products and projects. However, specific details about affected products and versions are limited.

Official resources

This article is AI-assisted and based on the supplied source corpus.